Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Phoenix Exploit's Kit

View all posts > 

Phoenix Exploit's Kit

Posted: 03 Jan 2011 11:22 PM | Chris Astacio | no comments

Phoenix Exploit's Kit, also known as PEK, dates back to 2007, which makes it one of the older and more successful exploit kits available on the black market.  The kit is implemented using PHP and a MySQL back end database.  The database is used to collect statistical data gathered from visitors of the attack page.  One such piece of information is the client IP address.  This information is logged so that the kit only serves up its attack page once per IP address.  The attack PHP page gathers other statistics from the visiting computer such as the browser type and the operating system of the visiting machine.  Based on this information, the kit serves up one of a number of pages designed to exploit the visiting computer by launching a number of different exploits.  If one of the exploits is successful, an executable is fetched from the same domain on which the kit is hosted.  The executable can be any type of malware that the purchaser of the kit chooses to infect victims with.


More Details:

Phoenix Exploit Kit's Random Access Obfuscation

Installation Protection Mechanisms of Phoenix Exploit's Kit


Here is a screen shot of the login page:


Here is a screen shot of the statistics page (No visitors yet):



Below is a running list of vulnerabilities that have been used with Phoenix:

Adobe Reader CollectEmailInfo Vulnerability CVE-2007-5659
Adobe Reader Collab GetIcon Vulnerability CVE-2009-0927
Adobe Reader LibTiff Vulnerability CVE-2010-0188
Adobe Reader newPlayer Vulnerability CVE-2009-4324
Adobe Reader util.printf Vulnerability CVE-2008-2992
Adobe Flash Integer Overflow in AVM2 CVE-2009-1869
IE MDAC CVE-2006-0003
IE iepeers Vulnerability CVE-2010-0806
IE SnapShot Viewer ActiveX Vulnerability CVE-2008-2463
Java HsbParser.getSoundBank (GSB) CVE-2009-3867
Java Runtime Environment (JRE) CVE-2008-5353


Adobe Flash Player Remote Code Execution Vulnerability (NPSWF32.dll plugin) CVE-2011-0611
Oracle Java Applet Rhino Script Engine Remote Code Execution  CVE-2011-3544


Leave a Comment


Email address: (required)